Under what circumstances is a full push from Panorama required?

Under what circumstances is a full push from Panorama required?

3685
Created On 06/24/25 01:33 AM - Last Modified 08/16/25 03:13 AM


Question


  • Panorama can be used to perform selective push or full push to managed firewalls.
  • Under what circumstances is a full push from Panorama required?

Environment


  • Panorama managed Firewalls
  • PAN-OS 10.2 and above
  • Commit and Push operation

Answer


The actions below requires a full push (Push All Changes):

 

  1. A managed firewall is newly onboarded to Panorama
  2. Before a managed firewall is upgraded or downgraded to a version that supports Selective Push (PAN-OS 10.2+).
  3. The config versions on the managed firewalls are outside of the Config Audit Window.
  4. A configuration is loaded partially or fully into Panorama.
  5. A Device configuration is imported into Panorama.
  6. Security policies are moved across Device Groups.
  7. Templates, Template Stacks or Device Groups are renamed.
  8. Panorama HA failover is performed.

Perform a full push from Panorama.

 

  1. Go to Commit.
  2. Click on Push to Devices.
  3. Select the option Push All changes.
  4. (optional) Edit the selection to push only to the specific device(s).
  5. Click on Push.

Additional Information



Export and Push to Mutli-Vsys NGFW cause duplicates Vsyses entries

Demystifying Selective Push on Panorama
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000fxkUKAQ&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail